1. Field of the Invention
This invention pertains in general to computer security and in particular to assessing risks presented when providing personally identifiable information to a web site.
2. Description of the Related Art
Users are frequently required to submit personally identifiable information (PII) to web sites on the Internet. For example, users often provide usernames and passwords to web sites that provide ecommerce services, such as auction, banking, and travel-related services. Depending upon the sites, the users may also provide other types of PII such as credit card numbers, social security numbers, and the like.
Malicious attackers establish web sites on the Internet for the purpose of surreptitiously collecting PII to enable identity theft and other crimes. One common technique is to set up a “phishing” web site that resembles a popular web site. The malicious attacker tricks the user into submitting the PII to the phishing site instead of the real site. Other web sites, while not malicious per se, may have lax security practices or other factors that make the sites untrustworthy.
In view of these risks, security software vendors try to prevent users from providing PII to untrustworthy web sites. However, identifying such sites is a difficult problem. Some vendors use whitelists of known trustworthy web sites to prevent users from submitting PII to sites not on the list. Other vendors, in contrast, use blacklists of known untrustworthy web sites to prevent users from submitting PII to sites on the list. These lists are expensive to maintain and can rapidly become outdated as new sites emerge. Some security software vendors use heuristics to identify untrustworthy sites. However, malicious attackers can defeat the heuristics, and the heuristics occasionally generate false positive detections of untrustworthy sites. Accordingly, the problems associated with malicious and/or untrustworthy web sites are ongoing.
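The following is an added illustration, not part of the patent text, of the three approaches the related art describes: a whitelist (allowlist), a blacklist (blocklist), and a lookalike heuristic applied to the host a form is about to submit PII to. The host names, both lists, and the protected brand names are constructed for the example (all under the reserved .example TLD) and are not real sites or vendor data. It also shows the two failure modes the text names: a newly registered site that neither list knows, and a legitimate-looking name the heuristic flags as a false positive.

```python
"""Minimal model of allowlist, blocklist and lookalike heuristic for a
PII-submission guard. All hosts, lists and brands are constructed sample
data for this example; nothing here is a real list or product."""

ALLOWLIST = {"bank.example", "shop.example"}          # known-good sites (constructed)
BLOCKLIST = {"bank-login.example"}                    # known phishing sites (constructed)
PROTECTED_BRANDS = {"bank.example": "bank", "shop.example": "shop"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Correct for single-label suffixes such
    as .example; a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'bnak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host: str):
    """Return the protected brand this host appears to imitate, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED_BRANDS:
        return None                       # the genuine site itself
    labels = host.split(".")
    reg_label = reg.split(".")[0]
    for brand_host, brand in PROTECTED_BRANDS.items():
        bl = brand_host.split(".")
        # Genuine name embedded as a subdomain run: bank.example.evil.example
        if any(labels[i:i + len(bl)] == bl for i in range(len(labels) - len(bl) + 1)):
            return brand
        # Brand inside the registrable label: mybank.example, bank.test
        if brand in reg_label:
            return brand
        # Typosquat within two edits: bnak.example, sh0p.example
        if len(reg_label) >= 4 and edit_distance(reg_label, brand) <= 2:
            return brand
    return None


def classify(host: str) -> tuple:
    """Verdict for a PII submission to `host`, in the order a guard would check:
    allowlist, then blocklist, then heuristic, else unknown."""
    reg = registrable_domain(host)
    if reg in ALLOWLIST:
        return ("allow", reg)
    if reg in BLOCKLIST:
        return ("block", reg)
    brand = lookalike_brand(host)
    if brand is not None:
        return ("suspicious", brand)
    return ("unknown", reg)               # neither list knows it: the staleness gap


if __name__ == "__main__":
    for h in ["www.bank.example", "bank-login.example", "bnak.example",
              "bank.example.evil.example", "mybank.example", "stop.example",
              "newphish.example"]:
        print(f"{h:28} -> {classify(h)}")
```

Note that "stop.example" is flagged as imitating "shop" purely because it is one edit away, and "mybank.example" because it contains the brand string; both may be legitimate, which is the false-positive problem the text attributes to heuristics. Conversely "newphish.example" is on neither list and shares nothing with a protected brand, so it falls through as unknown, which is the gap that list-based approaches leave until the lists are updated.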